|
 |
537b07 |
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
|
|
|
537b07 |
index e55b014b2c..431ea738b8 100644
|
|
|
537b07 |
--- a/runtime/nsd_ossl.c
|
|
|
537b07 |
+++ b/runtime/nsd_ossl.c
|
|
|
537b07 |
@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
|
|
|
537b07 |
|
|
|
537b07 |
/* Loop through ERR_get_error */
|
|
|
537b07 |
while ((un_error = ERR_get_error()) > 0){
|
|
|
537b07 |
- LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, severity,
|
|
|
537b07 |
+ "nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
|
|
|
537b07 |
}
|
|
|
537b07 |
}
|
|
|
537b07 |
|
|
|
537b07 |
@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
|
|
|
537b07 |
if(pThis->bReportAuthErr == 1) {
|
|
|
537b07 |
errno = 0;
|
|
|
537b07 |
LogError(0, RS_RET_INVALID_FINGERPRINT,
|
|
|
537b07 |
- "nsd_ossl:error:"
|
|
|
537b07 |
- " peer fingerprint '%s' unknown - we are "
|
|
|
537b07 |
- "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
|
|
|
537b07 |
+ "nsd_ossl:error: peer fingerprint '%s' unknown - we are "
|
|
|
537b07 |
+ "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
pThis->bReportAuthErr = 0;
|
|
|
537b07 |
}
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
|
|
|
537b07 |
@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
|
|
|
537b07 |
cstrFinalize(pStr);
|
|
|
537b07 |
errno = 0;
|
|
|
537b07 |
LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized - "
|
|
|
537b07 |
- "not permitted to talk to it. Names: %s",
|
|
|
537b07 |
- cstrGetSzStrNoNULL(pStr));
|
|
|
537b07 |
+ "not permitted to talk to it. Names: %s",
|
|
|
537b07 |
+ cstrGetSzStrNoNULL(pStr));
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
pThis->bReportAuthErr = 0;
|
|
|
537b07 |
}
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
|
|
|
537b07 |
@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
|
|
|
537b07 |
if(pThis->bReportAuthErr == 1) {
|
|
|
537b07 |
errno = 0;
|
|
|
537b07 |
LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
|
|
|
537b07 |
- "not permitted to talk to it");
|
|
|
537b07 |
+ "not permitted to talk to it");
|
|
|
537b07 |
pThis->bReportAuthErr = 0;
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
}
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
|
|
|
537b07 |
}
|
|
|
537b07 |
@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
|
|
|
537b07 |
if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
|
|
|
537b07 |
if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
|
|
|
537b07 |
LogError(0, RS_RET_CERT_EXPIRED,
|
|
|
537b07 |
- "nsd_ossl:CertValidity check"
|
|
|
537b07 |
-"- not permitted to talk to peer: certificate expired: %s",
|
|
|
537b07 |
+ "nsd_ossl:CertValidity check - not permitted to talk to peer: "
|
|
|
537b07 |
+ "certificate expired: %s",
|
|
|
537b07 |
X509_verify_cert_error_string(iVerErr));
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
|
|
|
537b07 |
} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
|
|
|
537b07 |
LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
|
|
|
537b07 |
- "nsd_ossl:CertValidity check"
|
|
|
537b07 |
-"- warning talking to peer: certificate expired: %s",
|
|
|
537b07 |
+ "nsd_ossl:CertValidity check - warning talking to peer: "
|
|
|
537b07 |
+ "certificate expired: %s",
|
|
|
537b07 |
X509_verify_cert_error_string(iVerErr));
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
} else {
|
|
|
537b07 |
dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
|
|
|
537b07 |
X509_verify_cert_error_string(iVerErr));
|
|
|
537b07 |
@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
|
|
|
537b07 |
} else {
|
|
|
537b07 |
LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
|
|
|
537b07 |
"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_CERT_INVALID);
|
|
|
537b07 |
}
|
|
|
537b07 |
} else {
|
|
|
537b07 |
@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
|
|
|
537b07 |
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
|
537b07 |
if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
|
|
|
537b07 |
LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
|
|
|
537b07 |
-"No shared curve between syslog client and server.");
|
|
|
537b07 |
+ "No shared curve between syslog client and server.");
|
|
|
537b07 |
}
|
|
|
537b07 |
#endif
|
|
|
537b07 |
sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
|
|
|
537b07 |
@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
|
|
|
537b07 |
resErr == SSL_ERROR_WANT_WRITE) {
|
|
|
537b07 |
pNsd->rtryCall = osslRtry_handshake;
|
|
|
537b07 |
pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
|
|
|
537b07 |
- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
|
|
|
537b07 |
-"TLS handshake failed between syslog client and server.");
|
|
|
537b07 |
dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
|
|
|
537b07 |
"immediately - setting to retry (this is OK and normal)\n");
|
|
|
537b07 |
FINALIZE;
|
|
|
537b07 |
@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
|
|
|
537b07 |
} else {
|
|
|
537b07 |
osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
|
|
|
537b07 |
+ "nsd_ossl:TLS session terminated with remote syslog server.");
|
|
|
537b07 |
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
|
|
|
537b07 |
}
|
|
|
537b07 |
}
|
|
|
537b07 |
@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
|
|
|
537b07 |
conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
|
|
|
537b07 |
dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
|
|
|
537b07 |
|
|
|
537b07 |
- LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
|
|
|
537b07 |
-"TLS Connection initiated with remote syslog server.");
|
|
|
537b07 |
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
|
|
|
537b07 |
+ "TLS Connection initiated with remote syslog server.");
|
|
|
537b07 |
/*if we reach this point we are in tls mode */
|
|
|
537b07 |
DBGPRINTF("Connect: TLS Mode\n");
|
|
|
537b07 |
if(!(pThis->ssl = SSL_new(ctx))) {
|